HomeITSP.10.171 ControlsIdentification and Authentication › 03.05.09
ITSP.10.171 · 03.05.09

Identification and Authentication for Non-Organizational Users

Level 2 (Required April 2027)
IA — Identification and Authentication

Control Description

The Identification and Authentication for Non-Organizational Users control (03.05.09) within the Identification and Authentication family establishes requirements for Canadian defence suppliers handling controlled information under ITSP.10.171 / CPCSC.

Assessment Objective

Assessors verify that the organization has implemented and documented identification and authentication for non-organizational users practices consistent with ITSP.10.171 requirements, and that evidence demonstrates ongoing control effectiveness.

CPCSC Context

This control is part of the full 97-control ITSP.10.171 baseline required for CPCSC Level 2 third-party certification, expected to be mandatory from April 2027. Organizations should begin preparing now to ensure readiness.

How Solymus Helps

Solymus maps your evidence directly to ITSP 03.05.09, providing tamper-evident, KMS-signed receipts for every artifact you upload. The platform generates audit-ready evidence packages with per-artifact verification URLs that assessors can independently validate.

Begin with free Level 1 to establish your evidence chain, then upgrade to Level 2 when you need full 97-control coverage and third-party assessment readiness.

Frequently Asked Questions

What is ITSP 03.05.09 (Identification and Authentication for Non-Organizational Users)?

ITSP 03.05.09 is a security control in the Identification and Authentication family of ITSP.10.171, Canada's adaptation of NIST SP 800-171 Rev 3. It requires organizations to the Identification and Authentication for Non-Organizational Users control (03.05.09) within the Identification and Authentication family establishes requirements for Canadian defence suppliers handling controlled information under ITSP.10.171 / CPCSC.

Is ITSP 03.05.09 required for CPCSC Level 1?

No. ITSP 03.05.09 is required at CPCSC Level 2 (third-party certification, April 2027) but is not in the Level 1 subset of 13 controls.

How does Solymus help with this control?

Solymus provides a structured readiness assessment for ITSP 03.05.09, tamper-evident evidence collection with KMS-signed receipts, and exportable evidence packages that map directly to this control for audit submission.

Other IA — Identification and Authentication Controls

Start Your CPCSC Readiness Assessment

Free Level 1 assessment covers 13 controls. Build your tamper-evident evidence chain today.

Start Free (Level 1)